{"api_version":"1","generated_at":"2026-04-22T19:18:58+00:00","cve":"CVE-2022-23833","urls":{"html":"https://cve.report/CVE-2022-23833","api":"https://cve.report/api/cve/CVE-2022-23833.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-23833","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-23833"},"summary":{"title":"CVE-2022-23833","description":"An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2022-02-03 02:15:00","updated_at":"2023-11-22 23:15:00"},"problem_types":["CWE-835"],"metrics":[],"references":[{"url":"https://github.com/django/django/commit/d16133568ef9c9b42cb7a08bdf9ff3feec2e5468","name":"https://github.com/django/django/commit/d16133568ef9c9b42cb7a08bdf9ff3feec2e5468","refsource":"","tags":[],"title":"[3.2.x] Fixed CVE-2022-23833 -- Fixed DoS possiblity in file uploads. · django/django@d161335 · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/","name":"FEDORA-2022-e7fd530688","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 35 Update: python-django-3.2.12-1.fc35 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://groups.google.com/forum/#%21forum/django-announce","name":"https://groups.google.com/forum/#%21forum/django-announce","refsource":"","tags":[],"title":"Redirecting to Google Groups","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.netapp.com/advisory/ntap-20220221-0003/","name":"https://security.netapp.com/advisory/ntap-20220221-0003/","refsource":"CONFIRM","tags":["Third Party Advisory"],"title":"February 2022 Django Vulnerabilities in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://groups.google.com/forum/#!forum/django-announce","name":"https://groups.google.com/forum/#!forum/django-announce","refsource":"MISC","tags":[],"title":"Redirecting to Google Groups","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/django/django/commit/f9c7d48fdd6f198a6494a9202f90242f176e4fc9","name":"https://github.com/django/django/commit/f9c7d48fdd6f198a6494a9202f90242f176e4fc9","refsource":"","tags":[],"title":"[4.0.x] Fixed CVE-2022-23833 -- Fixed DoS possiblity in file uploads. · django/django@f9c7d48 · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://docs.djangoproject.com/en/4.0/releases/security/","name":"https://docs.djangoproject.com/en/4.0/releases/security/","refsource":"MISC","tags":[],"title":"Archive of security issues | Django documentation | Django","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/","name":"FEDORA-2022-e7fd530688","refsource":"","tags":[],"title":"[SECURITY] Fedora 35 Update: python-django-3.2.12-1.fc35 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.djangoproject.com/weblog/2022/feb/01/security-releases/","name":"https://www.djangoproject.com/weblog/2022/feb/01/security-releases/","refsource":"CONFIRM","tags":[],"title":"Django security releases issued: 4.0.2, 3.2.12, and 2.2.27 | Weblog | Django","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/django/django/commit/c477b761804984c932704554ad35f78a2e230c6a","name":"https://github.com/django/django/commit/c477b761804984c932704554ad35f78a2e230c6a","refsource":"","tags":[],"title":"[2.2.x] Fixed CVE-2022-23833 -- Fixed DoS possiblity in file uploads. · django/django@c477b76 · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.debian.org/security/2022/dsa-5254","name":"DSA-5254","refsource":"DEBIAN","tags":[],"title":"Debian -- Security Information -- DSA-5254-1 python-django","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-23833","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-23833","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2022","cve_id":"23833","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"11.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"23833","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"djangoproject","cpe5":"django","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"23833","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"34","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"23833","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"35","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2022-23833","qid":"179049","title":"Debian Security Update for python-django (DLA 2906-1)"},{"cve":"CVE-2022-23833","qid":"181137","title":"Debian Security Update for python-django (DSA 5254-1)"},{"cve":"CVE-2022-23833","qid":"181236","title":"Debian Security Update for python-django (DLA 3191-1)"},{"cve":"CVE-2022-23833","qid":"183845","title":"Debian Security Update for python-django (CVE-2022-23833)"},{"cve":"CVE-2022-23833","qid":"198652","title":"Ubuntu Security Notification for Django Vulnerabilities (USN-5269-1)"},{"cve":"CVE-2022-23833","qid":"240566","title":"Red Hat Update for Satellite 6.11 Release (RHSA-2022:5498)"},{"cve":"CVE-2022-23833","qid":"240972","title":"Red Hat Update for OpenStack Platform 16.1.9 (RHSA-2022:8872)"},{"cve":"CVE-2022-23833","qid":"240979","title":"Red Hat Update for OpenStack Platform 16.2.4 (RHSA-2022:8853)"},{"cve":"CVE-2022-23833","qid":"282363","title":"Fedora Security Update for python (FEDORA-2022-e7fd530688)"},{"cve":"CVE-2022-23833","qid":"296057","title":"Oracle Solaris 11.4 Support Repository Update (SRU) 44.113.4 Missing (bulletinapr2022)"},{"cve":"CVE-2022-23833","qid":"502340","title":"Alpine Linux Security Update for py3-django"},{"cve":"CVE-2022-23833","qid":"960505","title":"Rocky Linux Security Update for Satellite (RLSA-2022:5498)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2022-23833","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"url":"https://groups.google.com/forum/#!forum/django-announce","refsource":"MISC","name":"https://groups.google.com/forum/#!forum/django-announce"},{"url":"https://docs.djangoproject.com/en/4.0/releases/security/","refsource":"MISC","name":"https://docs.djangoproject.com/en/4.0/releases/security/"},{"refsource":"CONFIRM","name":"https://www.djangoproject.com/weblog/2022/feb/01/security-releases/","url":"https://www.djangoproject.com/weblog/2022/feb/01/security-releases/"},{"refsource":"FEDORA","name":"FEDORA-2022-e7fd530688","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/"},{"refsource":"CONFIRM","name":"https://security.netapp.com/advisory/ntap-20220221-0003/","url":"https://security.netapp.com/advisory/ntap-20220221-0003/"},{"refsource":"DEBIAN","name":"DSA-5254","url":"https://www.debian.org/security/2022/dsa-5254"}]}},"nvd":{"publishedDate":"2022-02-03 02:15:00","lastModifiedDate":"2023-11-22 23:15:00","problem_types":["CWE-835"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:N/I:N/A:P","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"PARTIAL","baseScore":5},"severity":"MEDIUM","exploitabilityScore":10,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*","versionStartIncluding":"3.2","versionEndExcluding":"3.2.12","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*","versionStartIncluding":"4.0","versionEndExcluding":"4.0.2","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*","versionStartIncluding":"2.2","versionEndExcluding":"2.2.27","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2022","CveId":"23833","Ordinal":"226722","Title":"CVE-2022-23833","CVE":"CVE-2022-23833","Year":"2022"},"notes":[{"CveYear":"2022","CveId":"23833","Ordinal":"1","NoteData":"An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files.","Type":"Description","Title":null},{"CveYear":"2022","CveId":"23833","Ordinal":"2","NoteData":"2022-02-02","Type":"Other","Title":"Published"},{"CveYear":"2022","CveId":"23833","Ordinal":"3","NoteData":"2022-02-10","Type":"Other","Title":"Modified"}]}}}